rancher-charts/charts/neuvector/103.0.0+up2.6.2/templates/scanner-deployment.yaml

103 lines
3.6 KiB
YAML

{{- if .Values.cve.scanner.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Deployment
metadata:
name: neuvector-scanner-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
strategy:
{{ toYaml .Values.cve.scanner.strategy | indent 4 }}
replicas: {{ .Values.cve.scanner.replicas }}
selector:
matchLabels:
app: neuvector-scanner-pod
template:
metadata:
labels:
app: neuvector-scanner-pod
{{- with .Values.cve.scanner.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cve.scanner.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.cve.scanner.affinity }}
affinity:
{{ toYaml .Values.cve.scanner.affinity | indent 8 }}
{{- end }}
{{- if .Values.cve.scanner.tolerations }}
tolerations:
{{ toYaml .Values.cve.scanner.tolerations | indent 8 }}
{{- end }}
{{- if .Values.cve.scanner.nodeSelector }}
nodeSelector:
{{ toYaml .Values.cve.scanner.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.cve.scanner.priorityClassName }}
priorityClassName: {{ .Values.cve.scanner.priorityClassName }}
{{- end }}
{{- if .Values.leastPrivilege }}
serviceAccountName: basic
serviceAccount: basic
{{- else }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
{{- if .Values.cve.scanner.runAsUser }}
securityContext:
runAsUser: {{ .Values.cve.scanner.runAsUser }}
{{- end }}
containers:
- name: neuvector-scanner-pod
image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}
imagePullPolicy: Always
env:
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
{{- if .Values.cve.scanner.dockerPath }}
- name: SCANNER_DOCKER_URL
value: {{ .Values.cve.scanner.dockerPath }}
{{- end }}
{{- with .Values.cve.scanner.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{ toYaml .Values.cve.scanner.resources | indent 12 }}
{{- if .Values.internal.certmanager.enabled }}
volumeMounts:
- mountPath: /etc/neuvector/certs/internal/cert.key
subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/cert.pem
subPath: {{ .Values.cve.scanner.internal.certificate.pemFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/ca.cert
subPath: {{ .Values.cve.scanner.internal.certificate.caFile }}
name: internal-cert
readOnly: true
{{- end }}
restartPolicy: Always
{{- if .Values.internal.certmanager.enabled }}
volumes:
- name: internal-cert
secret:
secretName: {{ .Values.cve.scanner.internal.certificate.secret }}
{{- end }}
{{- end }}